update-notifier message about recording mount passphrase

It just occurred to me that this might get much more tricky than I thought. update-notifier messages are system level, thus (1) only admins will see such a note if I'm not mistaken, and (2) once the first admin ack'ed it, other users won't see it any more.

What we want is a per-user notification. Maybe we can abuse the messaging system that gnome-screensaver has, or otherwise just use libnotify-send. I'll ponder this a bit.

update-notifier in jaunty supports per-user notifications as well. Just add:
OnlyAdminUsers: False
to the note.

And test if it really works of course ;) But it should

This bug was fixed in the package ecryptfs-utils - 73-0ubuntu3

---------------
ecryptfs-utils (73-0ubuntu3) jaunty; urgency=low

  * Add interactive update-notifier hook for reminding the user to write down
    the autogenerated passphrase: (LP: #352307)
    - Add debian/local/ecryptfs-remind-passphrase: update-notifier hook, with
      German translations. (Unfortunately this package is not gettextized yet,
      thus translations have to be added inline).
    - debian/ecryptfs-utils.install: Install above into
      /usr/share/ecryptfs-utils.
    - Add update-notifier-remind-passphrase.dpatch: Create update-notifier
      message about recording your passphrase, if it was generated randomly,
      and ecryptfs-setup-private is run as root.

 -- Martin Pitt <email address hidden> Sun, 05 Apr 2009 12:34:44 -0700

Thanks, Michael, this works fine.

I uploaded a new ecryptfs-utils which should make this work. I tested it with a new non-admin user "joe" and

  sudo ecryptfs-setup-private -u joe; sudo chown joe:joe /home/joe/.ecryptfs

Caveats:

 - All users with an existing ~/.ecryptfs/wrapped-passphrase get the notification.

 - If I don't do the chown above, /home/joe/.ecryptfs/ gets owned root:root, and the notification fails. Is that a bug in ecryptfs-setup-private, or am I just calling it wrongly?

 - I couldn't really test it the full way from the installer, it is much easier to do this once the package is uploaded and on the daily CDs. Dustin, can you please test this with the next daily and tell me what you think?

 - Please fix my bad English in the strings.

I attach the uploaded debdiff.

Martin,

The proper way of testing the encrypt-home bit is:

 $ sudo adduser --encrypt-home joe

As for setting up an encrypted-private, the user 'joe' would set this
up himself by just running:
 joe@ubuntu$ ecryptfs-setup-private

Sorry for not sending you these earlier!

:-Dustin

I'm reopening this bug, marking in progress, will upload a new fix momentarily. I'm moving around the code that Martin committed just a bit, using the pam_ecryptfs module to conditionally handle the update-notifier.

I worked with him over lunch on this, and I think we have a good solution now.

:-Dustin

This bug was fixed in the package ecryptfs-utils - 73-0ubuntu5

---------------
ecryptfs-utils (73-0ubuntu5) jaunty; urgency=low

  Reworked the fixes for LP: #352307 (Upstream Committed revision 373)
  * debian/local/ecryptfs-remind-passphrase: run if
    ~/.ecryptfs/.wrapped-passphrase.recorded does NOT exist; touch that
    file upon successful run of unwrap passphrase
  * debian/patches/00list,
    debian/patches/update-notifier-remind-passphrase.dpatch: dropped, since
    this was moved into PAM

 -- Dustin Kirkland <email address hidden> Tue, 07 Apr 2009 14:18:24 -0700